
PCI Compliance Levels:  Developing an Effective PCI Compliance Strategy

Aug 29, 2017 9:00:00 AM

4 PCI Compliance Levels

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data by maintaining a secure card processing environment.  Businesses that are not PCI compliant may be subject to fines, sanctions, and loss of processing privileges from the acquiring bank or payment processor that handles their card payments.  Businesses that fail to protect customer data can also face lawsuits and government prosecution.

PCI DSS merchant requirements are divided into four compliance levels.  Merchants confirm their level with the acquiring bank or payment processor that handles their card transactions.   The level is determined by the number of Visa or Mastercard transactions processed over a 12-month period, and the card brands use it to set the validation requirements a merchant must meet in proportion to the risk to cardholders. Annual transaction volume determines your PCI compliance level as follows:[1]

  1. Level 1 - Over 6 million Visa transactions per year, or any merchant that Visa designates as Level 1 regardless of volume.
    • Validated by an annual onsite assessment that produces a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA), or by an internal auditor if the ROC is signed by an officer of the company. The ROC documents that the assessed merchant meets every PCI DSS requirement. PCI DSS was developed to secure card-based transactions and protect cardholders against fraud and other misuse of their personal information; it was created as a collaborative effort of Visa, Mastercard, Discover, American Express and JCB, the founders of the PCI Security Standards Council. The completed ROC is submitted to the merchant's acquiring bank for acceptance, and once accepted the acquirer forwards it to Visa for compliance verification.
    • Quarterly external network vulnerability scan by an Approved Scanning Vendor (ASV).
    • Attestation of Compliance (AOC) form.
  2. Level 2 - 1 million to 6 million Visa or Mastercard transactions per year. Validated by an annual Self-Assessment Questionnaire (SAQ), a quarterly external network scan by an Approved Scanning Vendor (ASV) and an Attestation of Compliance (AOC) form.
  3. Level 3 - 20,000 to 1 million Visa e-commerce transactions per year. Validated by an annual SAQ, a quarterly ASV scan and an AOC form.
  4. Level 4 - Fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa or Mastercard transactions per year. Validated by an annual SAQ, a quarterly ASV scan and an AOC form; for Level 4 the acquiring bank sets the exact validation requirements, so confirm them with your acquirer.

Develop an internal information security policy

This internal information security policy document should include the detailed steps the company takes to secure cardholder data.  If your company is a Level 1, 2 or 3 merchant as outlined above, you should contract with a security professional or have dedicated staff to write and maintain your company's information security policy.  If you are a Level 4 merchant, contact your payment processor for advice on how to create the information security policy document.  If your processor isn't able to help, it is recommended to hire an independent security policy professional to write the document with you.

Businesses must build and maintain a secure network

  1. Avoid discontinued credit card processing solutions that are no longer supported and maintained to meet current PCI DSS requirements, such as PC Charge.
  2. Develop a relationship with a trusted contractor like APS Payments.
  3. Do not try to build and run your own network that stores cardholder data.  A mistake in installation or patching exposes the stored data directly, and storing card data in-house brings those systems, and everything not segmented from them, into PCI DSS scope.
  4. Change vendor default passwords before systems go live, and change passwords regularly after that.
  5. Keep firewalls operational and current, and never disable them.


Call the credit card processing experts at APS Payments to take the headache out of credit card processing!

Call us at 888-685-1900 to learn how to cut costs and benefit from the following streamlined credit card processing features:

  1. Convenient 24 hour access to payment processing and reporting
  2. PCI-DSS compliant at no additional cost
  3. Automated recurring billing
  4. Improved cash flow
  5. Fraud detection and prevention (volume thresholds, risk parameters)
  6. Reduce invoicing costs 
  7. No additional licensing fees
  8. Virtual Terminals (no integration needed, no software to install, simply use your web browser to securely log in to process transactions)
  9. Credit card tokenization, so stored tokens rather than card numbers are used for future customer transactions
  10. Real-time Payment Gateway
  11. Level 3 interchange data supported for US accounts (line-item detail that earns significant savings on business-to-government and business-to-business transactions; this is unrelated to compliance Level 3 above)
  12. Batch processing when real-time approvals are not required
  13. Some of the lowest Amex fees in the entire industry!
  14. Next Day Funding, including Amex, making the reconciliation process easier

Sources and citations:

  1. http://www.wikihow.com/Become-PCI-Compliant

Topics: PCI Compliance

Written by David Harper
